Security at FlowForce

Your customer data deserves more than a password.

FlowForce stores some of the most sensitive data your business has—your customers, your deals, your conversations. Here is what we do to keep it safe, and what we expect from you. For PIPEDA, CASL, and a shared-responsibility overview, see our Trust page.

Encryption everywhere

TLS 1.2+ in transit. AES-256 at rest. Secrets and credentials are stored in a managed key vault.

Privacy frameworks

PIPEDA-aligned practices and CASL-aware messaging tools. GDPR-oriented where applicable. DPA on Enterprise.

Tenant isolation

Workspaces are isolated by tenant ID. Roles, permissions, and audit logs apply at the workspace level.

24/7 monitoring

Automated alerts for unusual sign-ins, brute-force attempts, and runaway usage. We act on them.

Honest disclosure first

The controls described on this page are real, but they are self-attested. We are still a young company and we have not yet completed a formal third-party audit. If you need a written security questionnaire response or a Data Processing Agreement before signing, talk to us. We will share what we have today and a clear timeline for what is coming.

1. How we encrypt your data

  • In transit: All traffic between your browser, the FlowForce API, and our infrastructure runs over TLS 1.2 or higher with modern cipher suites. HTTP redirects to HTTPS.
  • At rest: Customer data, including leads, deals, contacts, emails, and call metadata, is stored in encrypted databases and object storage using AES-256.
  • Backups: Database backups are encrypted at rest and stored in a separate region for disaster recovery.
  • Secrets and credentials: API keys, OAuth tokens, and integration secrets live in a managed key vault. They are never written to logs and are rotated when an incident requires it.

2. Authentication and access controls

  • Passwords: Stored as salted, slow hashes. We never see your plain-text password and cannot recover it.
  • Two-factor authentication: Available for every account. Recommended for admins and required where your workspace policy says so.
  • Passkeys: Register a passkey for passwordless sign-in on supported devices, alongside traditional credentials.
  • Social OAuth sign-in: Sign in or register with approved OAuth providers; link accounts in profile settings.
  • SSO and SCIM: Available on Enterprise. Bring your own identity provider (Okta, Google Workspace, Azure AD, or similar) and let us handle provisioning and deprovisioning.
  • Roles and permissions: Workspace owners can scope what every member sees and does. Audit logs record who made what change and when.
  • Suspicious activity: We rate-limit logins, detect impossible travel between sessions, and bot-protect sensitive endpoints with Cloudflare Turnstile.
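
An added illustration of the "impossible travel" check named above; this is not FlowForce's code, and the sign-in events, coordinates and the 1000 km/h plausibility threshold are constructed assumptions.

```python
# Added example (not FlowForce's code): flag consecutive sign-ins by the same
# user whose implied ground speed is not physically plausible.
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed

# Constructed sign-in events: (ISO timestamp, user, GeoIP latitude, longitude)
EVENTS = [
    ("2024-05-01T09:00:00Z", "alice", 43.65, -79.38),   # Toronto
    ("2024-05-01T09:40:00Z", "alice", 49.28, -123.12),  # Vancouver, 40 min later
    ("2024-05-01T10:00:00Z", "bob", 45.50, -73.57),     # Montreal
    ("2024-05-01T16:00:00Z", "bob", 43.65, -79.38),     # Toronto, 6 h later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, implied_kmh) for each consecutive sign-in pair of the same
    user whose implied speed exceeds max_kmh. Events are sorted by time first."""
    last = {}  # user -> (datetime, lat, lon) of the previous sign-in
    alerts = []
    for ts, user, lat, lon in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        if user in last:
            t0, lat0, lon0 = last[user]
            hours = (t - t0).total_seconds() / 3600
            dist = haversine_km(lat0, lon0, lat, lon)
            # Two distant locations with no time between them are flagged too;
            # an exact duplicate event (zero distance) is not travel at all.
            if dist > 0 and (hours <= 0 or dist / hours > max_kmh):
                speed = dist / hours if hours > 0 else float("inf")
                alerts.append((user, round(speed, 1)))
        last[user] = (t, lat, lon)
    return alerts

if __name__ == "__main__":
    print(impossible_travel(EVENTS))  # alice: ~3360 km in 40 min
```

In production the same check would run on GeoIP-resolved sign-in logs and would usually add an allowlist for known VPN egress points to cut false positives.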

3. Infrastructure

  • Hosting: FlowForce runs on top-tier cloud providers in hardened, multi-zone regions.
  • Network: Production systems run in private networks. Inbound access is limited to required ports and protected by a managed WAF and DDoS protection.
  • Internal access: Engineering access to production is limited to a small group, requires SSO and 2FA, and is logged.
  • Patching: Operating systems and base images are kept current. Critical CVEs are tracked and patched on a defined SLA.

4. Tenant isolation and your data

  • Every record is scoped to a workspace tenant. Queries that read or write data are constrained by the tenant ID derived from the authenticated session, not from client input.
  • Object storage paths and queues are namespaced by tenant. Cross-tenant access is not possible from the application surface.
  • You own your data. We do not sell it, we do not use it to train shared models, and we do not look at it without your permission outside of essential support and security activity.
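
An added illustration of the session-derived tenant scoping described in this section, contrasting it with the client-supplied pattern it avoids; this is not FlowForce's code, and the table, tenants and session object are constructed.

```python
# Added example (not FlowForce's code): every query is constrained by the
# tenant id bound to the authenticated session, never by request input.
import sqlite3

def make_db():
    """Build an in-memory deals table with two constructed tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deals (id INTEGER, tenant_id TEXT, title TEXT)")
    conn.executemany("INSERT INTO deals VALUES (?, ?, ?)", [
        (1, "tenant-a", "Acme renewal"),
        (2, "tenant-a", "Acme upsell"),
        (3, "tenant-b", "Globex pilot"),
    ])
    return conn

# What the server holds after login (constructed): the tenant id was fixed at
# authentication time and is never read from the request.
SESSION = {"user": "alice", "tenant_id": "tenant-a"}

def list_deals_insecure(conn, requested_tenant):
    """Anti-pattern: the tenant id comes from client input (query string, JSON
    body, header), so any signed-in user can read another tenant's deals."""
    return conn.execute(
        "SELECT id, title FROM deals WHERE tenant_id = ? ORDER BY id",
        (requested_tenant,),
    ).fetchall()

def list_deals(conn, session):
    """Session-scoped read: the only tenant id the query ever sees is the one
    bound to the authenticated session."""
    return conn.execute(
        "SELECT id, title FROM deals WHERE tenant_id = ? ORDER BY id",
        (session["tenant_id"],),
    ).fetchall()

def rename_deal(conn, session, deal_id, new_title):
    """Writes are scoped the same way: a guessed id that belongs to another
    tenant matches zero rows, so nothing changes. Returns rows affected."""
    cur = conn.execute(
        "UPDATE deals SET title = ? WHERE id = ? AND tenant_id = ?",
        (new_title, deal_id, session["tenant_id"]),
    )
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = make_db()
    print(list_deals_insecure(db, "tenant-b"))  # cross-tenant read succeeds
    print(list_deals(db, SESSION))               # only tenant-a rows
    print(rename_deal(db, SESSION, 3, "x"))      # 0: tenant-b row untouched
```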

5. AI and third-party providers

FlowForce uses approved AI providers (OpenAI and similar) to power Ask Flow, Meeting Assistant summaries, lead enrichment, and email drafting for data stored in FlowForce. We send only the minimum context needed for each request. Conversations are not used by the provider to train shared base models. If your industry requires strict no-retention controls, talk to us about Enterprise.

Google and Microsoft user data is never sent to third-party AI providers. Gmail, Outlook, and connected calendar content obtained through Google or Microsoft APIs stays within FlowForce and is not shared with OpenAI or similar services. See our Privacy Policy Section 3.

We work with a short list of vendors for hosting, email, payments, and integrations. Each one is reviewed for security posture and bound by a written agreement that requires data to be used only to provide the service.

6. Connected mailboxes and Meeting Assistant

  • Email OAuth: Gmail and Microsoft 365 / Outlook connections use scoped OAuth tokens stored encrypted. We access only what is needed to sync threads and send on your behalf when you trigger an action. Content from connected Gmail or Outlook accounts is not sent to third-party AI providers.
  • Meeting Assistant: When enabled, a bot may join scheduled video calls to produce transcripts and summaries. Hosts decide per meeting whether to send or cancel the bot; recordings and text stay in your workspace.

7. Application security

  • Code review: Every change goes through pull-request review. We run static analysis and dependency scanning on each build.
  • Dependency hygiene: Vulnerable packages are flagged automatically. We track an internal SLA to upgrade.
  • Common-class protections: CSRF, XSS, SQL injection, SSRF, and similar classes are mitigated by framework controls plus per-route review.
  • Penetration testing: We run periodic third-party tests and welcome responsible disclosures from researchers (see Section 10).

8. Monitoring, logging, and audit

  • We log authentication events, admin actions, integration changes, billing events, and exports.
  • Logs are retained for security and compliance review and are protected from tampering.
  • Workspace owners can pull audit logs for their tenant, including who exported leads or changed permissions.

9. Backups, availability, and disaster recovery

  • Database backups run on a continuous schedule. Snapshots are encrypted and replicated to a secondary region.
  • We define and track recovery objectives (RPO and RTO) appropriate for a CRM workload.
  • We publish status and incidents on a public status page so your team always knows what is happening.

10. Vulnerability disclosure

If you think you have found a security issue in FlowForce, we want to hear about it. Please report it to security@flowforce.app. We respond to every report and will acknowledge receipt within two business days. Please give us a reasonable amount of time to fix the issue before public disclosure. We will publicly thank researchers who report responsibly, with permission.

11. Incident response

We maintain an incident response plan that covers detection, triage, containment, eradication, and recovery. If an incident affects your data, we will notify you in the timeline required by applicable law (GDPR or otherwise) and provide a clear write-up of what happened and what we changed to prevent it. We will not bury bad news in a footnote.

12. Privacy and data subject rights

How we collect and use personal data is described in our Privacy Policy. You and your end users have rights, including access, correction, deletion, and portability. Workspace owners can fulfill most of these inside the app. For anything you cannot do yourself, write to privacy@flowforce.app.

13. What we expect from you

Security is a partnership. To keep your workspace safe, please:

  • Use strong, unique passwords and enable two-factor authentication.
  • Remove members the day they leave your team.
  • Use roles and permissions to give each person the least access they need.
  • Connect only the integrations you trust and review their permissions periodically.
  • Tell us at security@flowforce.app if anything looks off.

14. Talk to us

Need a Data Processing Agreement, a security questionnaire response, or a custom call before signing? Email security@flowforce.app and we will get back to you fast.